Certificate reference: DPA/S27/SIS 


SECTION 27 DATA PROTECTION ACT 2018 


CERTIFICATE OF THE SECRETARY OF STATE 


1. Whe: eas: 


1.1 


by section 26(2) of the Data Protection Act 2018 (“the Act”) it is 
provided that personal data is exempt from certain provisions of the Act 
if the exemption from that provision is required for the purpose of 
safeguarding national security. For information, a full list of these 
provisions is provided at Annex A. 


1.2 by section 27(1) it is provided that a certificate signed by a Minister of 
the Crown certifying that an exemption from all or any of the provisions 
mentioned in section 26(2) is or at any time was required for the 
purpose of safeguarding national security in respect of any personal 
data shall be conclusive evidence of that fact; 

1.3 by section 27(2), it is provided that a certificate under section 27(1) 
may identify the personal data to which it applies by means of a 
general description and may be expressed to have prospective effect. 

2. And considering the potentially serious adverse repercussions for the 
national security of the United Kingdom if the exemptions hereafter identified were 
not available. 
3. And for the reasons set out below: 

3.1 The intelligence services (the Security Service, the Secret Intelligence 


3.2 


3.3 


Service and the Government Communications Headquarters), where 
this is necessary in the proper discharge of their respective statutory 
functions, obtain data from and disclose data to organisations that are 
subject to the GDPR and such organisations cooperate with the 
intelligence services by processing data for national security purposes 
on their behalf. 


The work of the Secret Intelligence Service (SIS) requires secrecy. 


The general principle of neither confirming nor denying whether the 
intelligence services process data about an individual, or whether 
others are processing personal data for, on behalf of, with a view to 
assisting, working with, or in relation to the functions of the intelligence 
services is an essential part of that secrecy. 


3.4 In dealing with requests asserting the rights of data subjects (Part 2, 
Chapter 3) under the Data Protection Act 2018, the controller will 
examine each individual request to determine, after consultation with 
SIS: 


i) whether adherence to that general principle is required for the purpose of 
safeguarding national security; and 


ii) in the event that such adherence is not required, whether and to what 
extent the non-communication of any data or any description of data is 
required for the purpose of safeguarding national security. 


4. Now, therefore, |, the Right Hon Jeremy Hunt MP, being a Minister of the 
Crown who is a member of the Cabinet, in exercise of the powers conferred by the 
said section 27(1) do issue this certificate and certify that any personal data that is 
processed by an organisation as described in Column 1 in the table below are and 
shall continue to be required to be exempt from those provisions of the Act that are 
set out in Column 2. 


(a) for, on behalf of, at the request 
of or with the aid or assistance of i. GDPR Article 5(1)(a), so far as it requires 
SIS or processing to be fair and transparent 


(b) where such processing is li. GDPR Article 5(1)(b) and (d) 
necessary to facilitate the proper D , 

discharge of the functions of SIS . GDPR Article 10 

described in section 1 of the 
Intelligence Services Act 1994 


GDPR Articles 13-19 
GDPR Articles 21-22 

GDPR Articles 33-34 

GDPR Articles 44-49 

GDPR Article 57(1)(a) and (h); 

GDPR Article 58(1)(a), (b), (e), (f); Article 
58(2)(c), (e), (f), (g), 0); Article 58(3)(b); 
Article 58(5). 


Data Protection Act section 115 (3) and 
(5)-(8) 


Data Protection Act section 119 
Data Protection Act section 146 
Data Protection Act sections 148-151 
Data Protection Act section 154 
Data Protection Act sections 170-173 


Data Protection Act Schedule 15 


Expires 


ANNEX A 


Provision 


Notes 


GDPR Article 5(1)(a), so far as it 
requires processing to be fair and 
| transparent 


Data protection principles 


GDPR Article 5(1)(b)-(f) and 5(2) 


Data protection principles 


GDPR Article 7 


Conditions for consent 


GDPR Article 8 


Child’s consent 


| GDPR Article 10 


Criminal convictions data 


| GDPR Article 11 


Processing which does not require 
identification 


| GDPR Articles 12-22 


Rights of Data Subjects, Chapter III 


| GDPR Articles 33-34 


Communication of personal data 
breaches 


GDPR Articles 44-50 


Transfers of personal data to third 
countries or international organisations, 
Chapter V 


GDPR Article 57(1)(a) and (h) 


Commissioner’s duties to monitor and 
enforce the applied GDPR and to 
conduct investigations 


GDPR Article 58 


Investigative, corrective, authorisation 
and advisory powers of Commissioner 


Applied GDPR Articles 77-82 


Remedies, liabilities and penalties 


Data Protection Act Section 115(3) and 
115(8) 


General functions of the Commissioner 


Data Protection Act Section 115 (9) , so 
far as it relates to Article 58(2)(i) of the 
applied GDPR; 


General functions of the Commissioner 


Data Protection Act section 119 


Inspection in accordance with 
international obligations 


Data Protection Act sections 142-154 


Commissioner’s notices and powers of 
entry and inspection 


Data Protection Act sections 170-173 


Offences relating to personal data 


Data Protection Act Section 187 


Representation of data subjects 


Data Protection Act Schedule 15 


Powers of entry and inspection 
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